1
Hi guys, what about this hack we made to avoid the visibility of the mail addresses in the activation mail?
In this way a malicious user is not able to create a loop with mail addresses using strings like this one:
http://your_site.com/lostpass.php?email=myemail@mydomain.com&code=f5d2fthis is the crypted link
http://your_site.com/lostpass.php?email=ac512c2a2cf48c528fcbc00874fc9815&code=f5d2f # lostpass.php #
# AROUND LINE 40 #
#####################################################
# hack : EMAIL ADDRESS CRYPTED IN ACTIVATION MAIL
#####################################################
#$getuser =& $member_handler->getUsers(new Criteria
#('email', $myts->addSlashes($email)));
if(isset($_GET['code']))
{
$getuser =& $member_handler->getUsers(new Criteria('MD5(email)', $myts->addSlashes($email)));
}
else
{
$getuser =& $member_handler->getUsers(new Criteria('email', $myts->addSlashes($email)));
}
########################################################
# AROUND LINE 100 #
#$xoopsMailer->assign("NEWPWD_LINK", XOOPS_URL."/lostpass.php?email=".$email."&code=".$areyou); <<<<< HACK EMAIL ADDRESS CRYPTED IN ACTIVATION MAIL
$xoopsMailer->assign("NEWPWD_LINK", XOOPS_URL."/lostpass.php?email=".md5($email)."&code=".$areyou);
Suggestion are welcome!(in particular about better crypt methods)
Thanks
ricketno-osso
